2 * Copyright (c) 2010-2013, 2016-2019 ARM Limited
5 * The license below extends only to copyright in the software and shall
6 * not be construed as granting a license to any other intellectual
7 * property including but not limited to intellectual property relating
8 * to a hardware implementation of the functionality of the software
9 * licensed hereunder. You may use the software subject to the license
10 * terms below provided that you ensure that this notice is replicated
11 * unmodified and in its entirety in all distributions of the software,
12 * modified or unmodified, in source code or in binary form.
14 * Copyright (c) 2001-2005 The Regents of The University of Michigan
15 * All rights reserved.
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions are
19 * met: redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer;
21 * redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in the
23 * documentation and/or other materials provided with the distribution;
24 * neither the name of the copyright holders nor the names of its
25 * contributors may be used to endorse or promote products derived from
26 * this software without specific prior written permission.
28 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
29 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
30 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
31 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
32 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
33 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
34 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
35 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
36 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
37 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
38 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
45 #include "arch/arm/tlb.hh"
51 #include "arch/arm/faults.hh"
52 #include "arch/arm/pagetable.hh"
53 #include "arch/arm/stage2_lookup.hh"
54 #include "arch/arm/stage2_mmu.hh"
55 #include "arch/arm/system.hh"
56 #include "arch/arm/table_walker.hh"
57 #include "arch/arm/utility.hh"
58 #include "arch/generic/mmapped_ipr.hh"
59 #include "base/inifile.hh"
60 #include "base/str.hh"
61 #include "base/trace.hh"
62 #include "cpu/base.hh"
63 #include "cpu/thread_context.hh"
64 #include "debug/Checkpoint.hh"
65 #include "debug/TLB.hh"
66 #include "debug/TLBVerbose.hh"
67 #include "mem/page_table.hh"
68 #include "mem/request.hh"
69 #include "params/ArmTLB.hh"
70 #include "sim/full_system.hh"
71 #include "sim/process.hh"
74 using namespace ArmISA
;
76 TLB::TLB(const ArmTLBParams
*p
)
77 : BaseTLB(p
), table(new TlbEntry
[p
->size
]), size(p
->size
),
78 isStage2(p
->is_stage2
), stage2Req(false), stage2DescReq(false), _attr(0),
79 directToStage2(false), tableWalker(p
->walker
), stage2Tlb(NULL
),
80 stage2Mmu(NULL
), test(nullptr), rangeMRU(1),
81 aarch64(false), aarch64EL(EL0
), isPriv(false), isSecure(false),
82 isHyp(false), asid(0), vmid(0), hcr(0), dacr(0),
83 miscRegValid(false), miscRegContext(0), curTranType(NormalTran
)
85 const ArmSystem
*sys
= dynamic_cast<const ArmSystem
*>(p
->sys
);
87 tableWalker
->setTlb(this);
89 // Cache system-level properties
90 haveLPAE
= tableWalker
->haveLPAE();
91 haveVirtualization
= tableWalker
->haveVirtualization();
92 haveLargeAsid64
= tableWalker
->haveLargeAsid64();
95 m5opRange
= sys
->m5opRange();
106 if (stage2Mmu
&& !isStage2
)
107 stage2Tlb
= stage2Mmu
->stage2Tlb();
111 TLB::setMMU(Stage2MMU
*m
, MasterID master_id
)
114 tableWalker
->setMMU(m
, master_id
);
118 TLB::translateFunctional(ThreadContext
*tc
, Addr va
, Addr
&pa
)
122 if (directToStage2
) {
124 return stage2Tlb
->translateFunctional(tc
, va
, pa
);
127 TlbEntry
*e
= lookup(va
, asid
, vmid
, isHyp
, isSecure
, true, false,
128 aarch64
? aarch64EL
: EL1
);
136 TLB::finalizePhysical(const RequestPtr
&req
,
137 ThreadContext
*tc
, Mode mode
) const
139 const Addr paddr
= req
->getPaddr();
141 if (m5opRange
.contains(paddr
)) {
142 req
->setFlags(Request::MMAPPED_IPR
| Request::GENERIC_IPR
);
143 req
->setPaddr(GenericISA::iprAddressPseudoInst(
152 TLB::lookup(Addr va
, uint16_t asn
, uint8_t vmid
, bool hyp
, bool secure
,
153 bool functional
, bool ignore_asn
, ExceptionLevel target_el
)
156 TlbEntry
*retval
= NULL
;
158 // Maintaining LRU array
160 while (retval
== NULL
&& x
< size
) {
161 if ((!ignore_asn
&& table
[x
].match(va
, asn
, vmid
, hyp
, secure
, false,
163 (ignore_asn
&& table
[x
].match(va
, vmid
, hyp
, secure
, target_el
))) {
164 // We only move the hit entry ahead when the position is higher
166 if (x
> rangeMRU
&& !functional
) {
167 TlbEntry tmp_entry
= table
[x
];
168 for (int i
= x
; i
> 0; i
--)
169 table
[i
] = table
[i
- 1];
170 table
[0] = tmp_entry
;
180 DPRINTF(TLBVerbose
, "Lookup %#x, asn %#x -> %s vmn 0x%x hyp %d secure %d "
181 "ppn %#x size: %#x pa: %#x ap:%d ns:%d nstid:%d g:%d asid: %d "
183 va
, asn
, retval
? "hit" : "miss", vmid
, hyp
, secure
,
184 retval
? retval
->pfn
: 0, retval
? retval
->size
: 0,
185 retval
? retval
->pAddr(va
) : 0, retval
? retval
->ap
: 0,
186 retval
? retval
->ns
: 0, retval
? retval
->nstid
: 0,
187 retval
? retval
->global
: 0, retval
? retval
->asid
: 0,
188 retval
? retval
->el
: 0);
193 // insert a new TLB entry
195 TLB::insert(Addr addr
, TlbEntry
&entry
)
197 DPRINTF(TLB
, "Inserting entry into TLB with pfn:%#x size:%#x vpn: %#x"
198 " asid:%d vmid:%d N:%d global:%d valid:%d nc:%d xn:%d"
199 " ap:%#x domain:%#x ns:%d nstid:%d isHyp:%d\n", entry
.pfn
,
200 entry
.size
, entry
.vpn
, entry
.asid
, entry
.vmid
, entry
.N
,
201 entry
.global
, entry
.valid
, entry
.nonCacheable
, entry
.xn
,
202 entry
.ap
, static_cast<uint8_t>(entry
.domain
), entry
.ns
, entry
.nstid
,
205 if (table
[size
- 1].valid
)
206 DPRINTF(TLB
, " - Replacing Valid entry %#x, asn %d vmn %d ppn %#x "
207 "size: %#x ap:%d ns:%d nstid:%d g:%d isHyp:%d el: %d\n",
208 table
[size
-1].vpn
<< table
[size
-1].N
, table
[size
-1].asid
,
209 table
[size
-1].vmid
, table
[size
-1].pfn
<< table
[size
-1].N
,
210 table
[size
-1].size
, table
[size
-1].ap
, table
[size
-1].ns
,
211 table
[size
-1].nstid
, table
[size
-1].global
, table
[size
-1].isHyp
,
214 //inserting to MRU position and evicting the LRU one
216 for (int i
= size
- 1; i
> 0; --i
)
217 table
[i
] = table
[i
-1];
221 ppRefills
->notify(1);
225 TLB::printTlb() const
229 DPRINTF(TLB
, "Current TLB contents:\n");
233 DPRINTF(TLB
, " * %s\n", te
->print());
239 TLB::flushAllSecurity(bool secure_lookup
, ExceptionLevel target_el
,
242 DPRINTF(TLB
, "Flushing all TLB entries (%s lookup)\n",
243 (secure_lookup
? "secure" : "non-secure"));
248 const bool el_match
= ignore_el
?
249 true : te
->checkELMatch(target_el
);
251 if (te
->valid
&& secure_lookup
== !te
->nstid
&&
252 (te
->vmid
== vmid
|| secure_lookup
) && el_match
) {
254 DPRINTF(TLB
, " - %s\n", te
->print());
263 // If there's a second stage TLB (and we're not it) then flush it as well
264 // if we're currently in hyp mode
265 if (!isStage2
&& isHyp
) {
266 stage2Tlb
->flushAllSecurity(secure_lookup
, EL1
, true);
271 TLB::flushAllNs(ExceptionLevel target_el
, bool ignore_el
)
273 bool hyp
= target_el
== EL2
;
275 DPRINTF(TLB
, "Flushing all NS TLB entries (%s lookup)\n",
276 (hyp
? "hyp" : "non-hyp"));
281 const bool el_match
= ignore_el
?
282 true : te
->checkELMatch(target_el
);
284 if (te
->valid
&& te
->nstid
&& te
->isHyp
== hyp
&& el_match
) {
286 DPRINTF(TLB
, " - %s\n", te
->print());
295 // If there's a second stage TLB (and we're not it) then flush it as well
296 if (!isStage2
&& !hyp
) {
297 stage2Tlb
->flushAllNs(EL1
, true);
302 TLB::flushMvaAsid(Addr mva
, uint64_t asn
, bool secure_lookup
,
303 ExceptionLevel target_el
)
305 DPRINTF(TLB
, "Flushing TLB entries with mva: %#x, asid: %#x "
306 "(%s lookup)\n", mva
, asn
, (secure_lookup
?
307 "secure" : "non-secure"));
308 _flushMva(mva
, asn
, secure_lookup
, false, target_el
);
313 TLB::flushAsid(uint64_t asn
, bool secure_lookup
, ExceptionLevel target_el
)
315 DPRINTF(TLB
, "Flushing TLB entries with asid: %#x (%s lookup)\n", asn
,
316 (secure_lookup
? "secure" : "non-secure"));
323 if (te
->valid
&& te
->asid
== asn
&& secure_lookup
== !te
->nstid
&&
324 (te
->vmid
== vmid
|| secure_lookup
) &&
325 te
->checkELMatch(target_el
)) {
328 DPRINTF(TLB
, " - %s\n", te
->print());
337 TLB::flushMva(Addr mva
, bool secure_lookup
, ExceptionLevel target_el
)
339 DPRINTF(TLB
, "Flushing TLB entries with mva: %#x (%s lookup)\n", mva
,
340 (secure_lookup
? "secure" : "non-secure"));
341 _flushMva(mva
, 0xbeef, secure_lookup
, true, target_el
);
346 TLB::_flushMva(Addr mva
, uint64_t asn
, bool secure_lookup
,
347 bool ignore_asn
, ExceptionLevel target_el
)
350 // D5.7.2: Sign-extend address to 64 bits
353 bool hyp
= target_el
== EL2
;
355 te
= lookup(mva
, asn
, vmid
, hyp
, secure_lookup
, false, ignore_asn
,
358 if (secure_lookup
== !te
->nstid
) {
359 DPRINTF(TLB
, " - %s\n", te
->print());
363 te
= lookup(mva
, asn
, vmid
, hyp
, secure_lookup
, false, ignore_asn
,
369 TLB::flushIpaVmid(Addr ipa
, bool secure_lookup
, ExceptionLevel target_el
)
372 stage2Tlb
->_flushMva(ipa
, 0xbeef, secure_lookup
, true, target_el
);
378 // We might have unserialized something or switched CPUs, so make
379 // sure to re-read the misc regs.
380 miscRegValid
= false;
384 TLB::takeOverFrom(BaseTLB
*_otlb
)
386 TLB
*otlb
= dynamic_cast<TLB
*>(_otlb
);
387 /* Make sure we actually have a valid type */
390 haveLPAE
= otlb
->haveLPAE
;
391 directToStage2
= otlb
->directToStage2
;
392 stage2Req
= otlb
->stage2Req
;
393 stage2DescReq
= otlb
->stage2DescReq
;
395 /* Sync the stage2 MMU if they exist in both
396 * the old CPU and the new
399 stage2Tlb
&& otlb
->stage2Tlb
) {
400 stage2Tlb
->takeOverFrom(otlb
->stage2Tlb
);
403 panic("Incompatible TLB type!");
412 .name(name() + ".inst_hits")
413 .desc("ITB inst hits")
417 .name(name() + ".inst_misses")
418 .desc("ITB inst misses")
422 .name(name() + ".inst_accesses")
423 .desc("ITB inst accesses")
427 .name(name() + ".read_hits")
428 .desc("DTB read hits")
432 .name(name() + ".read_misses")
433 .desc("DTB read misses")
437 .name(name() + ".read_accesses")
438 .desc("DTB read accesses")
442 .name(name() + ".write_hits")
443 .desc("DTB write hits")
447 .name(name() + ".write_misses")
448 .desc("DTB write misses")
452 .name(name() + ".write_accesses")
453 .desc("DTB write accesses")
457 .name(name() + ".hits")
462 .name(name() + ".misses")
467 .name(name() + ".accesses")
468 .desc("DTB accesses")
472 .name(name() + ".flush_tlb")
473 .desc("Number of times complete TLB was flushed")
477 .name(name() + ".flush_tlb_mva")
478 .desc("Number of times TLB was flushed by MVA")
482 .name(name() + ".flush_tlb_mva_asid")
483 .desc("Number of times TLB was flushed by MVA & ASID")
487 .name(name() + ".flush_tlb_asid")
488 .desc("Number of times TLB was flushed by ASID")
492 .name(name() + ".flush_entries")
493 .desc("Number of entries that have been flushed from TLB")
497 .name(name() + ".align_faults")
498 .desc("Number of TLB faults due to alignment restrictions")
502 .name(name() + ".prefetch_faults")
503 .desc("Number of TLB faults due to prefetch")
507 .name(name() + ".domain_faults")
508 .desc("Number of TLB faults due to domain restrictions")
512 .name(name() + ".perms_faults")
513 .desc("Number of TLB faults due to permissions restrictions")
516 instAccesses
= instHits
+ instMisses
;
517 readAccesses
= readHits
+ readMisses
;
518 writeAccesses
= writeHits
+ writeMisses
;
519 hits
= readHits
+ writeHits
+ instHits
;
520 misses
= readMisses
+ writeMisses
+ instMisses
;
521 accesses
= readAccesses
+ writeAccesses
+ instAccesses
;
525 TLB::regProbePoints()
527 ppRefills
.reset(new ProbePoints::PMU(getProbeManager(), "Refills"));
531 TLB::translateSe(const RequestPtr
&req
, ThreadContext
*tc
, Mode mode
,
532 Translation
*translation
, bool &delay
, bool timing
)
535 Addr vaddr_tainted
= req
->getVaddr();
538 vaddr
= purifyTaggedAddr(vaddr_tainted
, tc
, aarch64EL
, ttbcr
);
540 vaddr
= vaddr_tainted
;
541 Request::Flags flags
= req
->getFlags();
543 bool is_fetch
= (mode
== Execute
);
544 bool is_write
= (mode
== Write
);
547 assert(flags
& MustBeOne
|| req
->isPrefetch());
548 if (sctlr
.a
|| !(flags
& AllowUnaligned
)) {
549 if (vaddr
& mask(flags
& AlignmentMask
)) {
550 // LPAE is always disabled in SE mode
551 return std::make_shared
<DataAbort
>(
553 TlbEntry::DomainType::NoAccess
, is_write
,
554 ArmFault::AlignmentFault
, isStage2
,
561 Process
*p
= tc
->getProcessPtr();
563 if (!p
->pTable
->translate(vaddr
, paddr
))
564 return std::make_shared
<GenericPageTableFault
>(vaddr_tainted
);
565 req
->setPaddr(paddr
);
567 return finalizePhysical(req
, tc
, mode
);
571 TLB::checkPermissions(TlbEntry
*te
, const RequestPtr
&req
, Mode mode
)
573 // a data cache maintenance instruction that operates by MVA does
574 // not generate a Data Abort exeception due to a Permission fault
575 if (req
->isCacheMaintenance()) {
579 Addr vaddr
= req
->getVaddr(); // 32-bit don't have to purify
580 Request::Flags flags
= req
->getFlags();
581 bool is_fetch
= (mode
== Execute
);
582 bool is_write
= (mode
== Write
);
583 bool is_priv
= isPriv
&& !(flags
& UserMode
);
585 // Get the translation type from the actuall table entry
586 ArmFault::TranMethod tranMethod
= te
->longDescFormat
? ArmFault::LpaeTran
587 : ArmFault::VmsaTran
;
589 // If this is the second stage of translation and the request is for a
590 // stage 1 page table walk then we need to check the HCR.PTW bit. This
591 // allows us to generate a fault if the request targets an area marked
592 // as a device or strongly ordered.
593 if (isStage2
&& req
->isPTWalk() && hcr
.ptw
&&
594 (te
->mtype
!= TlbEntry::MemoryType::Normal
)) {
595 return std::make_shared
<DataAbort
>(
596 vaddr
, te
->domain
, is_write
,
597 ArmFault::PermissionLL
+ te
->lookupLevel
,
598 isStage2
, tranMethod
);
601 // Generate an alignment fault for unaligned data accesses to device or
602 // strongly ordered memory
604 if (te
->mtype
!= TlbEntry::MemoryType::Normal
) {
605 if (vaddr
& mask(flags
& AlignmentMask
)) {
607 return std::make_shared
<DataAbort
>(
608 vaddr
, TlbEntry::DomainType::NoAccess
, is_write
,
609 ArmFault::AlignmentFault
, isStage2
,
615 if (te
->nonCacheable
) {
616 // Prevent prefetching from I/O devices.
617 if (req
->isPrefetch()) {
618 // Here we can safely use the fault status for the short
619 // desc. format in all cases
620 return std::make_shared
<PrefetchAbort
>(
621 vaddr
, ArmFault::PrefetchUncacheable
,
622 isStage2
, tranMethod
);
626 if (!te
->longDescFormat
) {
627 switch ((dacr
>> (static_cast<uint8_t>(te
->domain
) * 2)) & 0x3) {
630 DPRINTF(TLB
, "TLB Fault: Data abort on domain. DACR: %#x"
631 " domain: %#x write:%d\n", dacr
,
632 static_cast<uint8_t>(te
->domain
), is_write
);
634 // Use PC value instead of vaddr because vaddr might
635 // be aligned to cache line and should not be the
636 // address reported in FAR
637 return std::make_shared
<PrefetchAbort
>(
639 ArmFault::DomainLL
+ te
->lookupLevel
,
640 isStage2
, tranMethod
);
642 return std::make_shared
<DataAbort
>(
643 vaddr
, te
->domain
, is_write
,
644 ArmFault::DomainLL
+ te
->lookupLevel
,
645 isStage2
, tranMethod
);
647 // Continue with permissions check
650 panic("UNPRED domain\n");
656 // The 'ap' variable is AP[2:0] or {AP[2,1],1b'0}, i.e. always three bits
657 uint8_t ap
= te
->longDescFormat
? te
->ap
<< 1 : te
->ap
;
658 uint8_t hap
= te
->hap
;
660 if (sctlr
.afe
== 1 || te
->longDescFormat
)
664 bool isWritable
= true;
665 // If this is a stage 2 access (eg for reading stage 1 page table entries)
666 // then don't perform the AP permissions check, we stil do the HAP check
673 DPRINTF(TLB
, "Access permissions 0, checking rs:%#x\n",
676 switch ((int)sctlr
.rs
) {
681 abt
= is_write
|| !is_priv
;
697 abt
= !is_priv
&& is_write
;
698 isWritable
= is_priv
;
704 panic("UNPRED premissions\n");
706 abt
= !is_priv
|| is_write
;
715 panic("Unknown permissions %#x\n", ap
);
719 bool hapAbt
= is_write
? !(hap
& 2) : !(hap
& 1);
720 bool xn
= te
->xn
|| (isWritable
&& sctlr
.wxn
) ||
721 (ap
== 3 && sctlr
.uwxn
&& is_priv
);
722 if (is_fetch
&& (abt
|| xn
||
723 (te
->longDescFormat
&& te
->pxn
&& is_priv
) ||
724 (isSecure
&& te
->ns
&& scr
.sif
))) {
726 DPRINTF(TLB
, "TLB Fault: Prefetch abort on permission check. AP:%d "
727 "priv:%d write:%d ns:%d sif:%d sctlr.afe: %d \n",
728 ap
, is_priv
, is_write
, te
->ns
, scr
.sif
,sctlr
.afe
);
729 // Use PC value instead of vaddr because vaddr might be aligned to
730 // cache line and should not be the address reported in FAR
731 return std::make_shared
<PrefetchAbort
>(
733 ArmFault::PermissionLL
+ te
->lookupLevel
,
734 isStage2
, tranMethod
);
735 } else if (abt
| hapAbt
) {
737 DPRINTF(TLB
, "TLB Fault: Data abort on permission check. AP:%d priv:%d"
738 " write:%d\n", ap
, is_priv
, is_write
);
739 return std::make_shared
<DataAbort
>(
740 vaddr
, te
->domain
, is_write
,
741 ArmFault::PermissionLL
+ te
->lookupLevel
,
742 isStage2
| !abt
, tranMethod
);
749 TLB::checkPermissions64(TlbEntry
*te
, const RequestPtr
&req
, Mode mode
,
754 // A data cache maintenance instruction that operates by VA does
755 // not generate a Permission fault unless:
756 // * It is a data cache invalidate (dc ivac) which requires write
757 // permissions to the VA, or
758 // * It is executed from EL0
759 if (req
->isCacheClean() && aarch64EL
!= EL0
&& !isStage2
) {
763 Addr vaddr_tainted
= req
->getVaddr();
764 Addr vaddr
= purifyTaggedAddr(vaddr_tainted
, tc
, aarch64EL
, ttbcr
);
766 Request::Flags flags
= req
->getFlags();
767 bool is_fetch
= (mode
== Execute
);
768 // Cache clean operations require read permissions to the specified VA
769 bool is_write
= !req
->isCacheClean() && mode
== Write
;
770 bool is_atomic
= req
->isAtomic();
771 bool is_priv M5_VAR_USED
= isPriv
&& !(flags
& UserMode
);
773 updateMiscReg(tc
, curTranType
);
775 // If this is the second stage of translation and the request is for a
776 // stage 1 page table walk then we need to check the HCR.PTW bit. This
777 // allows us to generate a fault if the request targets an area marked
778 // as a device or strongly ordered.
779 if (isStage2
&& req
->isPTWalk() && hcr
.ptw
&&
780 (te
->mtype
!= TlbEntry::MemoryType::Normal
)) {
781 return std::make_shared
<DataAbort
>(
782 vaddr_tainted
, te
->domain
, is_write
,
783 ArmFault::PermissionLL
+ te
->lookupLevel
,
784 isStage2
, ArmFault::LpaeTran
);
787 // Generate an alignment fault for unaligned accesses to device or
788 // strongly ordered memory
790 if (te
->mtype
!= TlbEntry::MemoryType::Normal
) {
791 if (vaddr
& mask(flags
& AlignmentMask
)) {
793 return std::make_shared
<DataAbort
>(
795 TlbEntry::DomainType::NoAccess
,
796 is_atomic
? false : is_write
,
797 ArmFault::AlignmentFault
, isStage2
,
803 if (te
->nonCacheable
) {
804 // Prevent prefetching from I/O devices.
805 if (req
->isPrefetch()) {
806 // Here we can safely use the fault status for the short
807 // desc. format in all cases
808 return std::make_shared
<PrefetchAbort
>(
810 ArmFault::PrefetchUncacheable
,
811 isStage2
, ArmFault::LpaeTran
);
815 uint8_t ap
= 0x3 & (te
->ap
); // 2-bit access protection field
819 uint8_t pxn
= te
->pxn
;
820 bool r
= !is_write
&& !is_fetch
;
824 // grant_read is used for faults from an atomic instruction that
825 // both reads and writes from a memory location. From a ISS point
826 // of view they count as read if a read to that address would have
827 // generated the fault; they count as writes otherwise
828 bool grant_read
= true;
829 DPRINTF(TLBVerbose
, "Checking permissions: ap:%d, xn:%d, pxn:%d, r:%d, "
830 "w:%d, x:%d\n", ap
, xn
, pxn
, r
, w
, x
);
833 assert(ArmSystem::haveVirtualization(tc
) && aarch64EL
!= EL2
);
834 // In stage 2 we use the hypervisor access permission bits.
835 // The following permissions are described in ARM DDI 0487A.f
837 uint8_t hap
= 0x3 & te
->hap
;
838 grant_read
= hap
& 0x1;
840 // sctlr.wxn overrides the xn bit
841 grant
= !sctlr
.wxn
&& !xn
;
842 } else if (is_write
) {
851 grant_read
= ap
& 0x1;
852 uint8_t perm
= (ap
<< 2) | (xn
<< 1) | pxn
;
862 grant
= r
|| w
|| (x
&& !sctlr
.wxn
);
883 if (checkPAN(tc
, ap
, req
, mode
)) {
889 uint8_t perm
= (ap
<< 2) | (xn
<< 1) | pxn
;
893 grant
= r
|| w
|| (x
&& !sctlr
.wxn
);
901 // regions that are writeable at EL0 should not be
923 if (hcr
.e2h
&& checkPAN(tc
, ap
, req
, mode
)) {
931 uint8_t perm
= (ap
& 0x2) | xn
;
934 grant
= r
|| w
|| (x
&& !sctlr
.wxn
) ;
956 DPRINTF(TLB
, "TLB Fault: Prefetch abort on permission check. "
957 "AP:%d priv:%d write:%d ns:%d sif:%d "
959 ap
, is_priv
, is_write
, te
->ns
, scr
.sif
, sctlr
.afe
);
960 // Use PC value instead of vaddr because vaddr might be aligned to
961 // cache line and should not be the address reported in FAR
962 return std::make_shared
<PrefetchAbort
>(
964 ArmFault::PermissionLL
+ te
->lookupLevel
,
965 isStage2
, ArmFault::LpaeTran
);
968 DPRINTF(TLB
, "TLB Fault: Data abort on permission check. AP:%d "
969 "priv:%d write:%d\n", ap
, is_priv
, is_write
);
970 return std::make_shared
<DataAbort
>(
971 vaddr_tainted
, te
->domain
,
972 (is_atomic
&& !grant_read
) ? false : is_write
,
973 ArmFault::PermissionLL
+ te
->lookupLevel
,
974 isStage2
, ArmFault::LpaeTran
);
982 TLB::checkPAN(ThreadContext
*tc
, uint8_t ap
, const RequestPtr
&req
, Mode mode
)
984 // The PAN bit has no effect on:
985 // 1) Instruction accesses.
986 // 2) Data Cache instructions other than DC ZVA
987 // 3) Address translation instructions, other than ATS1E1RP and
988 // ATS1E1WP when ARMv8.2-ATS1E1 is implemented. (Unimplemented in
990 // 4) Unprivileged instructions (Unimplemented in gem5)
991 AA64MMFR1 mmfr1
= tc
->readMiscReg(MISCREG_ID_AA64MMFR1_EL1
);
992 if (mmfr1
.pan
&& cpsr
.pan
&& (ap
& 0x1) && mode
!= Execute
&&
993 (!req
->isCacheMaintenance() ||
994 (req
->getFlags() & Request::CACHE_BLOCK_ZERO
))) {
1002 TLB::translateFs(const RequestPtr
&req
, ThreadContext
*tc
, Mode mode
,
1003 Translation
*translation
, bool &delay
, bool timing
,
1004 TLB::ArmTranslationType tranType
, bool functional
)
1006 // No such thing as a functional timing access
1007 assert(!(timing
&& functional
));
1009 updateMiscReg(tc
, tranType
);
1011 Addr vaddr_tainted
= req
->getVaddr();
1014 vaddr
= purifyTaggedAddr(vaddr_tainted
, tc
, aarch64EL
, ttbcr
);
1016 vaddr
= vaddr_tainted
;
1017 Request::Flags flags
= req
->getFlags();
1019 bool is_fetch
= (mode
== Execute
);
1020 bool is_write
= (mode
== Write
);
1021 bool long_desc_format
= aarch64
|| longDescFormatInUse(tc
);
1022 ArmFault::TranMethod tranMethod
= long_desc_format
? ArmFault::LpaeTran
1023 : ArmFault::VmsaTran
;
1027 DPRINTF(TLBVerbose
, "CPSR is priv:%d UserMode:%d secure:%d S1S2NsTran:%d\n",
1028 isPriv
, flags
& UserMode
, isSecure
, tranType
& S1S2NsTran
);
1030 DPRINTF(TLB
, "translateFs addr %#x, mode %d, st2 %d, scr %#x sctlr %#x "
1031 "flags %#lx tranType 0x%x\n", vaddr_tainted
, mode
, isStage2
,
1032 scr
, sctlr
, flags
, tranType
);
1034 if ((req
->isInstFetch() && (!sctlr
.i
)) ||
1035 ((!req
->isInstFetch()) && (!sctlr
.c
))){
1036 if (!req
->isCacheMaintenance()) {
1037 req
->setFlags(Request::UNCACHEABLE
);
1039 req
->setFlags(Request::STRICT_ORDER
);
1042 assert(flags
& MustBeOne
|| req
->isPrefetch());
1043 if (sctlr
.a
|| !(flags
& AllowUnaligned
)) {
1044 if (vaddr
& mask(flags
& AlignmentMask
)) {
1046 return std::make_shared
<DataAbort
>(
1048 TlbEntry::DomainType::NoAccess
, is_write
,
1049 ArmFault::AlignmentFault
, isStage2
,
1055 // If guest MMU is off or hcr.vm=0 go straight to stage2
1056 if ((isStage2
&& !hcr
.vm
) || (!isStage2
&& !sctlr
.m
)) {
1058 req
->setPaddr(vaddr
);
1059 // When the MMU is off the security attribute corresponds to the
1060 // security state of the processor
1062 req
->setFlags(Request::SECURE
);
1064 // @todo: double check this (ARM ARM issue C B3.2.1)
1065 if (long_desc_format
|| sctlr
.tre
== 0 || nmrr
.ir0
== 0 ||
1066 nmrr
.or0
== 0 || prrr
.tr0
!= 0x2) {
1067 if (!req
->isCacheMaintenance()) {
1068 req
->setFlags(Request::UNCACHEABLE
);
1070 req
->setFlags(Request::STRICT_ORDER
);
1073 // Set memory attributes
1075 temp_te
.ns
= !isSecure
;
1076 if (isStage2
|| hcr
.dc
== 0 || isSecure
||
1077 (isHyp
&& !(tranType
& S1CTran
))) {
1079 temp_te
.mtype
= is_fetch
? TlbEntry::MemoryType::Normal
1080 : TlbEntry::MemoryType::StronglyOrdered
;
1081 temp_te
.innerAttrs
= 0x0;
1082 temp_te
.outerAttrs
= 0x0;
1083 temp_te
.shareable
= true;
1084 temp_te
.outerShareable
= true;
1086 temp_te
.mtype
= TlbEntry::MemoryType::Normal
;
1087 temp_te
.innerAttrs
= 0x3;
1088 temp_te
.outerAttrs
= 0x3;
1089 temp_te
.shareable
= false;
1090 temp_te
.outerShareable
= false;
1092 temp_te
.setAttributes(long_desc_format
);
1093 DPRINTF(TLBVerbose
, "(No MMU) setting memory attributes: shareable: "
1094 "%d, innerAttrs: %d, outerAttrs: %d, isStage2: %d\n",
1095 temp_te
.shareable
, temp_te
.innerAttrs
, temp_te
.outerAttrs
,
1097 setAttr(temp_te
.attributes
);
1099 return testTranslation(req
, mode
, TlbEntry::DomainType::NoAccess
);
1102 DPRINTF(TLBVerbose
, "Translating %s=%#x context=%d\n",
1103 isStage2
? "IPA" : "VA", vaddr_tainted
, asid
);
1104 // Translation enabled
1106 TlbEntry
*te
= NULL
;
1108 Fault fault
= getResultTe(&te
, req
, tc
, mode
, translation
, timing
,
1109 functional
, &mergeTe
);
1110 // only proceed if we have a valid table entry
1111 if ((te
== NULL
) && (fault
== NoFault
)) delay
= true;
1113 // If we have the table entry transfer some of the attributes to the
1114 // request that triggered the translation
1116 // Set memory attributes
1118 "Setting memory attributes: shareable: %d, innerAttrs: %d, "
1119 "outerAttrs: %d, mtype: %d, isStage2: %d\n",
1120 te
->shareable
, te
->innerAttrs
, te
->outerAttrs
,
1121 static_cast<uint8_t>(te
->mtype
), isStage2
);
1122 setAttr(te
->attributes
);
1124 if (te
->nonCacheable
&& !req
->isCacheMaintenance())
1125 req
->setFlags(Request::UNCACHEABLE
);
1127 // Require requests to be ordered if the request goes to
1128 // strongly ordered or device memory (i.e., anything other
1129 // than normal memory requires strict order).
1130 if (te
->mtype
!= TlbEntry::MemoryType::Normal
)
1131 req
->setFlags(Request::STRICT_ORDER
);
1133 Addr pa
= te
->pAddr(vaddr
);
1136 if (isSecure
&& !te
->ns
) {
1137 req
->setFlags(Request::SECURE
);
1139 if ((!is_fetch
) && (vaddr
& mask(flags
& AlignmentMask
)) &&
1140 (te
->mtype
!= TlbEntry::MemoryType::Normal
)) {
1141 // Unaligned accesses to Device memory should always cause an
1142 // abort regardless of sctlr.a
1144 return std::make_shared
<DataAbort
>(
1146 TlbEntry::DomainType::NoAccess
, is_write
,
1147 ArmFault::AlignmentFault
, isStage2
,
1151 // Check for a trickbox generated address fault
1152 if (fault
== NoFault
)
1153 fault
= testTranslation(req
, mode
, te
->domain
);
1156 if (fault
== NoFault
) {
1157 // Don't try to finalize a physical address unless the
1158 // translation has completed (i.e., there is a table entry).
1159 return te
? finalizePhysical(req
, tc
, mode
) : NoFault
;
1166 TLB::translateAtomic(const RequestPtr
&req
, ThreadContext
*tc
, Mode mode
,
1167 TLB::ArmTranslationType tranType
)
1169 updateMiscReg(tc
, tranType
);
1171 if (directToStage2
) {
1173 return stage2Tlb
->translateAtomic(req
, tc
, mode
, tranType
);
1179 fault
= translateFs(req
, tc
, mode
, NULL
, delay
, false, tranType
);
1181 fault
= translateSe(req
, tc
, mode
, NULL
, delay
, false);
1187 TLB::translateFunctional(const RequestPtr
&req
, ThreadContext
*tc
, Mode mode
,
1188 TLB::ArmTranslationType tranType
)
1190 updateMiscReg(tc
, tranType
);
1192 if (directToStage2
) {
1194 return stage2Tlb
->translateFunctional(req
, tc
, mode
, tranType
);
1200 fault
= translateFs(req
, tc
, mode
, NULL
, delay
, false, tranType
, true);
1202 fault
= translateSe(req
, tc
, mode
, NULL
, delay
, false);
1208 TLB::translateTiming(const RequestPtr
&req
, ThreadContext
*tc
,
1209 Translation
*translation
, Mode mode
, TLB::ArmTranslationType tranType
)
1211 updateMiscReg(tc
, tranType
);
1213 if (directToStage2
) {
1215 stage2Tlb
->translateTiming(req
, tc
, translation
, mode
, tranType
);
1219 assert(translation
);
1221 translateComplete(req
, tc
, translation
, mode
, tranType
, isStage2
);
1225 TLB::translateComplete(const RequestPtr
&req
, ThreadContext
*tc
,
1226 Translation
*translation
, Mode mode
, TLB::ArmTranslationType tranType
,
1232 fault
= translateFs(req
, tc
, mode
, translation
, delay
, true, tranType
);
1234 fault
= translateSe(req
, tc
, mode
, translation
, delay
, true);
1235 DPRINTF(TLBVerbose
, "Translation returning delay=%d fault=%d\n", delay
, fault
!=
1237 // If we have a translation, and we're not in the middle of doing a stage
1238 // 2 translation tell the translation that we've either finished or its
1239 // going to take a while. By not doing this when we're in the middle of a
1240 // stage 2 translation we prevent marking the translation as delayed twice,
1241 // one when the translation starts and again when the stage 1 translation
1243 if (translation
&& (callFromS2
|| !stage2Req
|| req
->hasPaddr() || fault
!= NoFault
)) {
1245 translation
->finish(fault
, req
, tc
, mode
);
1247 translation
->markDelayed();
1253 TLB::getTableWalkerPort()
1255 return &stage2Mmu
->getDMAPort();
1259 TLB::updateMiscReg(ThreadContext
*tc
, ArmTranslationType tranType
)
1261 // check if the regs have changed, or the translation mode is different.
1262 // NOTE: the tran type doesn't affect stage 2 TLB's as they only handle
1263 // one type of translation anyway
1264 if (miscRegValid
&& miscRegContext
== tc
->contextId() &&
1265 ((tranType
== curTranType
) || isStage2
)) {
1269 DPRINTF(TLBVerbose
, "TLB variables changed!\n");
1270 cpsr
= tc
->readMiscReg(MISCREG_CPSR
);
1272 // Dependencies: SCR/SCR_EL3, CPSR
1273 isSecure
= inSecureState(tc
) &&
1274 !(tranType
& HypMode
) && !(tranType
& S1S2NsTran
);
1276 aarch64EL
= tranTypeEL(cpsr
, tranType
);
1277 aarch64
= isStage2
?
1279 ELIs64(tc
, aarch64EL
== EL0
? EL1
: aarch64EL
);
1281 if (aarch64
) { // AArch64
1282 // determine EL we need to translate in
1283 switch (aarch64EL
) {
1287 sctlr
= tc
->readMiscReg(MISCREG_SCTLR_EL1
);
1288 ttbcr
= tc
->readMiscReg(MISCREG_TCR_EL1
);
1289 uint64_t ttbr_asid
= ttbcr
.a1
?
1290 tc
->readMiscReg(MISCREG_TTBR1_EL1
) :
1291 tc
->readMiscReg(MISCREG_TTBR0_EL1
);
1292 asid
= bits(ttbr_asid
,
1293 (haveLargeAsid64
&& ttbcr
.as
) ? 63 : 55, 48);
1297 sctlr
= tc
->readMiscReg(MISCREG_SCTLR_EL2
);
1298 ttbcr
= tc
->readMiscReg(MISCREG_TCR_EL2
);
1302 sctlr
= tc
->readMiscReg(MISCREG_SCTLR_EL3
);
1303 ttbcr
= tc
->readMiscReg(MISCREG_TCR_EL3
);
1307 hcr
= tc
->readMiscReg(MISCREG_HCR_EL2
);
1308 scr
= tc
->readMiscReg(MISCREG_SCR_EL3
);
1309 isPriv
= aarch64EL
!= EL0
;
1310 if (haveVirtualization
) {
1311 vmid
= bits(tc
->readMiscReg(MISCREG_VTTBR_EL2
), 55, 48);
1312 isHyp
= aarch64EL
== EL2
;
1313 isHyp
|= tranType
& HypMode
;
1314 isHyp
&= (tranType
& S1S2NsTran
) == 0;
1315 isHyp
&= (tranType
& S1CTran
) == 0;
1316 // Work out if we should skip the first stage of translation and go
1317 // directly to stage 2. This value is cached so we don't have to
1318 // compute it for every translation.
1319 stage2Req
= isStage2
||
1320 (hcr
.vm
&& !isHyp
&& !isSecure
&&
1321 !(tranType
& S1CTran
) && (aarch64EL
< EL2
) &&
1322 !(tranType
& S1E1Tran
)); // <--- FIX THIS HACK
1323 stage2DescReq
= isStage2
|| (hcr
.vm
&& !isHyp
&& !isSecure
&&
1325 directToStage2
= !isStage2
&& stage2Req
&& !sctlr
.m
;
1329 directToStage2
= false;
1331 stage2DescReq
= false;
1334 sctlr
= tc
->readMiscReg(snsBankedIndex(MISCREG_SCTLR
, tc
,
1336 ttbcr
= tc
->readMiscReg(snsBankedIndex(MISCREG_TTBCR
, tc
,
1338 scr
= tc
->readMiscReg(MISCREG_SCR
);
1339 isPriv
= cpsr
.mode
!= MODE_USER
;
1340 if (longDescFormatInUse(tc
)) {
1341 uint64_t ttbr_asid
= tc
->readMiscReg(
1342 snsBankedIndex(ttbcr
.a1
? MISCREG_TTBR1
:
1345 asid
= bits(ttbr_asid
, 55, 48);
1346 } else { // Short-descriptor translation table format in use
1347 CONTEXTIDR context_id
= tc
->readMiscReg(snsBankedIndex(
1348 MISCREG_CONTEXTIDR
, tc
,!isSecure
));
1349 asid
= context_id
.asid
;
1351 prrr
= tc
->readMiscReg(snsBankedIndex(MISCREG_PRRR
, tc
,
1353 nmrr
= tc
->readMiscReg(snsBankedIndex(MISCREG_NMRR
, tc
,
1355 dacr
= tc
->readMiscReg(snsBankedIndex(MISCREG_DACR
, tc
,
1357 hcr
= tc
->readMiscReg(MISCREG_HCR
);
1359 if (haveVirtualization
) {
1360 vmid
= bits(tc
->readMiscReg(MISCREG_VTTBR
), 55, 48);
1361 isHyp
= cpsr
.mode
== MODE_HYP
;
1362 isHyp
|= tranType
& HypMode
;
1363 isHyp
&= (tranType
& S1S2NsTran
) == 0;
1364 isHyp
&= (tranType
& S1CTran
) == 0;
1366 sctlr
= tc
->readMiscReg(MISCREG_HSCTLR
);
1368 // Work out if we should skip the first stage of translation and go
1369 // directly to stage 2. This value is cached so we don't have to
1370 // compute it for every translation.
1371 stage2Req
= hcr
.vm
&& !isStage2
&& !isHyp
&& !isSecure
&&
1372 !(tranType
& S1CTran
);
1373 stage2DescReq
= hcr
.vm
&& !isStage2
&& !isHyp
&& !isSecure
;
1374 directToStage2
= stage2Req
&& !sctlr
.m
;
1379 directToStage2
= false;
1380 stage2DescReq
= false;
1383 miscRegValid
= true;
1384 miscRegContext
= tc
->contextId();
1385 curTranType
= tranType
;
1389 TLB::tranTypeEL(CPSR cpsr
, ArmTranslationType type
)
1410 return currEL(cpsr
);
1413 panic("Unknown translation mode!\n");
1418 TLB::getTE(TlbEntry
**te
, const RequestPtr
&req
, ThreadContext
*tc
, Mode mode
,
1419 Translation
*translation
, bool timing
, bool functional
,
1420 bool is_secure
, TLB::ArmTranslationType tranType
)
1422 // In a 2-stage system, the IPA->PA translation can be started via this
1423 // call so make sure the miscRegs are correct.
1425 updateMiscReg(tc
, tranType
);
1427 bool is_fetch
= (mode
== Execute
);
1428 bool is_write
= (mode
== Write
);
1430 Addr vaddr_tainted
= req
->getVaddr();
1432 ExceptionLevel target_el
= aarch64
? aarch64EL
: EL1
;
1434 vaddr
= purifyTaggedAddr(vaddr_tainted
, tc
, target_el
, ttbcr
);
1436 vaddr
= vaddr_tainted
;
1438 *te
= lookup(vaddr
, asid
, vmid
, isHyp
, is_secure
, false, false, target_el
);
1440 if (req
->isPrefetch()) {
1441 // if the request is a prefetch don't attempt to fill the TLB or go
1442 // any further with the memory access (here we can safely use the
1443 // fault status for the short desc. format in all cases)
1445 return std::make_shared
<PrefetchAbort
>(
1446 vaddr_tainted
, ArmFault::PrefetchTLBMiss
, isStage2
);
1456 // start translation table walk, pass variables rather than
1457 // re-retreaving in table walker for speed
1458 DPRINTF(TLB
, "TLB Miss: Starting hardware table walker for %#x(%d:%d)\n",
1459 vaddr_tainted
, asid
, vmid
);
1461 fault
= tableWalker
->walk(req
, tc
, asid
, vmid
, isHyp
, mode
,
1462 translation
, timing
, functional
, is_secure
,
1463 tranType
, stage2DescReq
);
1464 // for timing mode, return and wait for table walk,
1465 if (timing
|| fault
!= NoFault
) {
1469 *te
= lookup(vaddr
, asid
, vmid
, isHyp
, is_secure
, false, false, target_el
);
1485 TLB::getResultTe(TlbEntry
**te
, const RequestPtr
&req
,
1486 ThreadContext
*tc
, Mode mode
,
1487 Translation
*translation
, bool timing
, bool functional
,
1493 // We are already in the stage 2 TLB. Grab the table entry for stage
1494 // 2 only. We are here because stage 1 translation is disabled.
1495 TlbEntry
*s2Te
= NULL
;
1496 // Get the stage 2 table entry
1497 fault
= getTE(&s2Te
, req
, tc
, mode
, translation
, timing
, functional
,
1498 isSecure
, curTranType
);
1499 // Check permissions of stage 2
1500 if ((s2Te
!= NULL
) && (fault
== NoFault
)) {
1502 fault
= checkPermissions64(s2Te
, req
, mode
, tc
);
1504 fault
= checkPermissions(s2Te
, req
, mode
);
1510 TlbEntry
*s1Te
= NULL
;
1512 Addr vaddr_tainted
= req
->getVaddr();
1514 // Get the stage 1 table entry
1515 fault
= getTE(&s1Te
, req
, tc
, mode
, translation
, timing
, functional
,
1516 isSecure
, curTranType
);
1517 // only proceed if we have a valid table entry
1518 if ((s1Te
!= NULL
) && (fault
== NoFault
)) {
1519 // Check stage 1 permissions before checking stage 2
1521 fault
= checkPermissions64(s1Te
, req
, mode
, tc
);
1523 fault
= checkPermissions(s1Te
, req
, mode
);
1524 if (stage2Req
& (fault
== NoFault
)) {
1525 Stage2LookUp
*s2Lookup
= new Stage2LookUp(this, stage2Tlb
, *s1Te
,
1526 req
, translation
, mode
, timing
, functional
, curTranType
);
1527 fault
= s2Lookup
->getTe(tc
, mergeTe
);
1528 if (s2Lookup
->isComplete()) {
1530 // We've finished with the lookup so delete it
1533 // The lookup hasn't completed, so we can't delete it now. We
1534 // get round this by asking the object to self delete when the
1535 // translation is complete.
1536 s2Lookup
->setSelfDelete();
1539 // This case deals with an S1 hit (or bypass), followed by
1540 // an S2 hit-but-perms issue
1542 DPRINTF(TLBVerbose
, "s2TLB: reqVa %#x, reqPa %#x, fault %p\n",
1543 vaddr_tainted
, req
->hasPaddr() ? req
->getPaddr() : ~0, fault
);
1544 if (fault
!= NoFault
) {
1545 ArmFault
*armFault
= reinterpret_cast<ArmFault
*>(fault
.get());
1546 armFault
->annotate(ArmFault::S1PTW
, false);
1547 armFault
->annotate(ArmFault::OVA
, vaddr_tainted
);
1557 TLB::setTestInterface(SimObject
*_ti
)
1562 TlbTestInterface
*ti(dynamic_cast<TlbTestInterface
*>(_ti
));
1563 fatal_if(!ti
, "%s is not a valid ARM TLB tester\n", _ti
->name());
1569 TLB::testTranslation(const RequestPtr
&req
, Mode mode
,
1570 TlbEntry::DomainType domain
)
1572 if (!test
|| !req
->hasSize() || req
->getSize() == 0 ||
1573 req
->isCacheMaintenance()) {
1576 return test
->translationCheck(req
, isPriv
, mode
, domain
);
1581 TLB::testWalk(Addr pa
, Addr size
, Addr va
, bool is_secure
, Mode mode
,
1582 TlbEntry::DomainType domain
, LookupLevel lookup_level
)
1587 return test
->walkCheck(pa
, size
, va
, is_secure
, isPriv
, mode
,
1588 domain
, lookup_level
);
1594 ArmTLBParams::create()
1596 return new ArmISA::TLB(this);